Browser based method of assessing web application vulnerability

US 9,264,443 B2
Filed: 08/25/2008
Issued: 02/16/2016
Est. Priority Date: 08/25/2008
Status: Active Grant

First Claim

Patent Images

1. A method of assessing a vulnerability of an active web form during a browsing session, said method comprising the steps of:

browsing the active web form by a user;

monitoring one or more HTTP requests transmitted from said browser to a server during the browsing session by a browser add-on, wherein the one or more HTTP requests result from the user interacting with the active web form;

analyzing by the browser add-on said one or more HTTP requests to detect one or more testable entities;

executing at the server one or more security vulnerability tests for only said one or more testable entities detected while a response page corresponding with the one or more HTTP requests of the active web form is loading during the browsing session;

displaying the results of said one or more security vulnerability tests; and

if the results to the one or more security vulnerability tests are positive, displaying the results of the one or more security vulnerability tests of a previous page corresponding with the active web form on the response page.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A novel and useful mechanism and method for assessing the vulnerability of web applications while browsing the application. As a user interacts with the web application, HTTP requests are sent from the browser to the web server. Each HTTP request is analyzed to determine if its associated elements need testing. Vulnerability assessment tests are sent to the server. Test results are then returned to the browser, where they are analyzed, displayed and/or stored in a log file.

Citations

25 Claims

1. A method of assessing a vulnerability of an active web form during a browsing session, said method comprising the steps of:
- browsing the active web form by a user;
  
  monitoring one or more HTTP requests transmitted from said browser to a server during the browsing session by a browser add-on, wherein the one or more HTTP requests result from the user interacting with the active web form;
  
  analyzing by the browser add-on said one or more HTTP requests to detect one or more testable entities;
  
  executing at the server one or more security vulnerability tests for only said one or more testable entities detected while a response page corresponding with the one or more HTTP requests of the active web form is loading during the browsing session;
  
  displaying the results of said one or more security vulnerability tests; and
  
  if the results to the one or more security vulnerability tests are positive, displaying the results of the one or more security vulnerability tests of a previous page corresponding with the active web form on the response page.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, wherein said one or more HTTP requests are issued by an element of said active web form.
  - 3. The method according to claim 1, wherein one or more of said one or more testable entities is not displayed on said active web form.
  - 4. The method according to claim 1, wherein said step of analyzing comprises the steps of:
    - generating one or more tests for each of said one or more testable entities to be analyzed;
      
      transmitting said one or more tests to said server; and
      
      receiving a response to each of said one or more tests.
  - 5. The method according to claim 4, wherein said step of generating is executed by said browser.
  - 6. The method according to claim 4, wherein said step of transmitting is executed by said browser.
  - 7. The method according to claim 2, wherein said step of receiving is executed by said browser.
  - 8. The method according to claim 2, wherein said one or more tests are executed by said server.

9. A method of assessing the a vulnerability of an active web form during a browsing session, said method comprising the steps of:
- browsing the active web form by a user;
  
  monitoring one or more HTTP requests transmitted from said browser to a server during the browsing session by a browser add-on, wherein the one or more HTTP requests result from the user interacting with the active web form;
  
  analyzing by the browser add-on said one or more HTTP requests to detect one or more testable entities;
  
  executing at the server one or more security vulnerability tests for only said one or more testable entities detected, while a response page corresponding with the one or more HTTP requests of the active web form is loading during the browsing session;
  
  saving the results of said one or more security vulnerability tests to a log file; and
  
  if the results to the one or more security vulnerability tests are positive, displaying the results of the one or more security vulnerability tests of a previous page corresponding with the active web form on the response page.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method according to claim 9, wherein said one or more HTTP requests are issued by an element of said active web form.
  - 11. The method according to claim 9, wherein said step of analyzing comprises the steps of:
    - generating one or more tests for each of said one or more testable entities to be analyzed;
      
      transmitting said one or more tests to said server; and
      
      receiving a response to each of said one or more tests.
  - 12. The method according to claim 11, wherein said step of generating is executed by said browser.
  - 13. The method according to claim 10, wherein said step of transmitting is executed by said browser.
  - 14. The method according to claim 10, wherein said step of receiving is executed by said browser.
  - 15. The method according to claim 10, wherein said one or more tests are executed by said server.

16. A computer program product for assessing a vulnerability of an active web form during a browsing session, the computer program product comprising:
- a non-transitory computer usable medium having computer usable code embodied therewith, the computer program product comprising;
  
  computer usable code configured for browsing the active web form by a user;
  
  computer usable code configured for monitoring one or more HTTP requests transmitted from said browser to a server during the browsing session by a browser add-on, wherein the one or more HTTP requests result from the user interacting with the active web form;
  
  computer usable code configured for analyzing by the browser add-on said one or more HTTP requests to detect one or more testable entities;
  
  computer usable code configured for executing at the server one or more security vulnerability tests for only said one or more testable entities detected while a response page corresponding with the one or more HTTP requests of the active web form is loading during the browsing session;
  
  computer usable code configured for displaying any detected the results of said one or more security vulnerability tests; and
  
  if the results to the one or more security vulnerability tests are positive, computer usable code configured for displaying the results of the one or more security vulnerability tests of a previous page corresponding with the active web form on the response page.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer program product according to claim 16, wherein said computer program product comprises a web browser plug-in.
  - 18. The computer program product according to claim 16, wherein said one or more HTTP requests are issued by an element of said active web form.
  - 19. The computer program product according to claim 16, wherein one or more of said one or more testable entities is not displayed on said active web form.
  - 20. The computer program product according to claim 16, wherein said computer usable code configured for analyzing comprises:
    - computer usable code configured for generating one or more tests for each of said one or more testable entities to be analyzed;
      
      computer usable code configured for transmitting said one or more tests to said server; and
      
      computer usable code configured for receiving a response to each of said one or more tests.

21. A computer program product for assessing the vulnerability of an active web form during a browsing session, the computer program product comprising:
- a non-transitory computer usable medium having computer usable code embodied therewith, the computer program product comprising;
  
  computer usable code configured for browsing the active web form by a user;
  
  computer usable code configured for monitoring one or more HTTP requests transmitted from said browser to a server during the browsing session by a browser add-on, wherein the one or more HTTP requests result from the user interacting with the active web form;
  
  computer usable code configured for analyzing by the browser add-on said one or more HTTP requests to detect one or more testable entities;
  
  computer usable code configured for executing by the server one or more security vulnerability tests for only said one or more testable entities detected while a response page corresponding with the one or more HTTP requests of the active web form is loading during the browsing session;
  
  if the results to the one or more security vulnerability tests are positive, computer usable code configured for displaying the results of the one or more security vulnerability tests of a previous page corresponding with the active web form on the response page;
  
  computer usable code configured for saving the results of said one or more security vulnerability tests to a log file; and
  
  computer usable code configured for displaying said log file.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The computer program product according to claim 21, wherein said computer program product comprises a web browser plug-in.
  - 23. The computer program product according to claim 21, wherein said one or more HTTP requests are issued by an element of said active web form.
  - 24. The computer program product according to claim 21, wherein one or more of said one or more testable entities is not displayed on said active web form.
  - 25. The computer program product according to claim 21, wherein said computer usable code configured for analyzing comprises:
    - computer usable code configured for generating one or more tests for each of said one or more testable entities to be analyzed;
      
      computer usable code configured for transmitting said one or more tests to said server; and
      
      computer usable code configured for receiving a response to each of said one or more tests.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finjan Blue, Inc. (FIG LLC (d/b/a Fortress Investment Group LLC))
Original Assignee
International Business Machines Corporation
Inventors
Weisman, Omri
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Korsak, Oleg

Application Number

US12/197,461
Publication Number

US 20100050263A1
Time in Patent Office

2,731 Days
Field of Search

726/25, 726/5, 1/1, 709/204, 709/219, 709/227
US Class Current

1/1
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1433 Vulnerability analysis

Browser based method of assessing web application vulnerability

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Browser based method of assessing web application vulnerability

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links